Risk assessment of complex information system security based on threat propagation
Gang MA 1,2, Yuge DU 3, Jiang RONG 1,2, Jiarui GAN 1,2, Zhongzhi SHI 1 (corresponding author), Bo AN 1
1. The Key Laboratory of Intelligent Information Processing, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China
2. University of Chinese Academy of Sciences, Beijing 100049, China
3. China Information Technology Security Evaluation Center, Beijing 100085, China
This paper presents a risk assessment method based on threat propagation between assets for assessing the risks related to complex information system security. The method describes the threat propagation route between assets as a threat propagation tree; the risk to the complex information system is assessed from the expected value loss of each node in the tree, weighted by the probability of each propagation step. The accuracy of the model is evaluated by applying it to a representative complex information system. The analysis shows that the method captures the different probabilities of different threatened nodes and the threat propagation between nodes, so that the key nodes to protect can be identified for different periods. The method is more objective and accurate than the traditional isolated-node analysis and can guide security risk managers in formulating reasonable security protection strategies for complex information systems.
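The following is an added illustration of the computation the abstract describes; it is not code from the paper and does not reproduce the authors' exact model. It assumes one simple reading of the abstract: a node's compromise probability is the product of the step probabilities along its path from the root of the threat propagation tree, its expected loss is that probability times the loss incurred if the asset is compromised, and the system risk is the sum over all nodes. The asset names, loss values and step probabilities are constructed sample data. The example also contrasts this with an isolated-node ranking (loss value alone, no propagation) and shows how the key node shifts when a step probability changes between two periods.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    """One asset in the threat propagation tree."""
    name: str
    loss: float                                   # constructed: loss if this asset is compromised
    children: List[Tuple[float, "Node"]] = field(default_factory=list)  # (step probability, child)


def build_sample_tree(db_step: float = 0.3) -> Node:
    """Constructed sample tree: an exposed web server is the entry point.

    db_step is the probability that a compromised app server leads to the
    database; varying it models a different period (e.g. a new weakness).
    """
    database = Node("database", loss=100.0)
    app_server = Node("app_server", loss=50.0, children=[(db_step, database)])
    workstation = Node("workstation", loss=10.0)
    mail_server = Node("mail_server", loss=30.0, children=[(0.8, workstation)])
    return Node("web_server", loss=20.0,
                children=[(0.6, app_server), (0.5, mail_server)])


def propagate(root: Node, p_root: float = 1.0) -> Dict[str, Tuple[float, float]]:
    """Return {asset: (reach probability, expected loss)} for every node.

    Assumption (not the paper's exact formula): the reach probability of a node
    is the product of the step probabilities along its unique path from the root.
    """
    result: Dict[str, Tuple[float, float]] = {}
    stack = [(root, p_root)]
    while stack:
        node, p = stack.pop()
        result[node.name] = (p, p * node.loss)
        for step_p, child in node.children:
            if not 0.0 <= step_p <= 1.0:
                raise ValueError(f"step probability out of range on {node.name}->{child.name}")
            stack.append((child, p * step_p))
    return result


def total_risk(result: Dict[str, Tuple[float, float]]) -> float:
    """System risk: sum of the expected losses of all nodes."""
    return sum(expected for _, expected in result.values())


def key_node(result: Dict[str, Tuple[float, float]]) -> str:
    """The node with the largest expected loss, i.e. the first to protect."""
    return max(result, key=lambda name: result[name][1])


def isolated_key_node(root: Node) -> str:
    """Traditional isolated-node view: rank by loss value alone, ignoring propagation."""
    best = root
    stack = [root]
    while stack:
        node = stack.pop()
        if node.loss > best.loss:
            best = node
        stack.extend(child for _, child in node.children)
    return best.name


if __name__ == "__main__":
    for label, tree in (("period 1", build_sample_tree()),
                        ("period 2", build_sample_tree(db_step=0.8))):
        result = propagate(tree)
        for name, (p, expected) in result.items():
            print(f"{label}: {name:12s} P={p:.2f} expected loss={expected:.1f}")
        print(f"{label}: total risk={total_risk(result):.1f}, key node={key_node(result)}")
    print("isolated-node ranking picks:", isolated_key_node(build_sample_tree()))
```

In period 1 the database has the highest loss value but a low reach probability, so the propagation view ranks the app server first while the isolated view still picks the database; in period 2 a more likely app-to-database step moves the database to the top, which is the period-dependent shift the abstract refers to.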
MA Gang, DU Yuge, RONG Jiang, GAN Jiarui, SHI Zhongzhi, AN Bo. Risk assessment of complex information system security based on threat propagation (original title: 基于威胁传播的复杂信息系统安全风险评估) [J]. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 35-43.
Gang MA, Yuge DU, Jiang RONG, Jiarui GAN, Zhongzhi SHI, Bo AN. Risk assessment of complex information system security based on threat propagation. Journal of Tsinghua University(Science and Technology), 2014, 54(1): 35-43.